Tue, 13 Apr 2010

${Work} has decreed that passwords must be changed regularly and today it was my turn.
Fine, despite the usual silliness in reducing the key space (by enforcing certain sets
of characters to be present) and a ridiculous maximum length of 8 characters,
I can deal with that. pwsafe generates and
remembers the password for me. After a while I even manage to remember it myself.

Clearly that's not a good rant. This, however, is worth complaining about:

That's the brand shiny new piece of *(*^#%*@% password change tool I'm supposed to use to change my password.
The first thing it does is demand four security questions. Yes, that's right, someone's been stupid
enough to think they do anything other than reduce security.
I did the obvious thing:

dd if=/dev/urandom bs=1k count=10 | md5sum

Just divide the result into four more or less equal parts and there are the answers to the insecurity questions.
Simple, except it rewards me with the above session timeout.
Note that 'back' and 'forward' should not be used, in defiance of 20 years of precedent.
Also note that if you're a slow reader you'll just get the login page again.
After all, it's not nice to show error messages to the users. It upsets them, so
it's best to hide them as soon as possible.